ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Validator Agent

v1.1.0

Validates project pre-deployment by running comprehensive security, testing, quality, documentation, CI/CD, privacy, maintainability, usability, marketabilit...

0· 747·1 current·1 all-time
by@up2itnow

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for up2itnow/validator-agent.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Validator Agent" (up2itnow/validator-agent) from ClawHub.
Skill page: https://clawhub.ai/up2itnow/validator-agent
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install up2itnow/validator-agent

ClawHub CLI

Package manager switcher

npx clawhub@latest install validator-agent
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md behavior (TypeScript and Solidity validation: tsc/forge, npm audit, tests, lint, type-coverage, docs/changelog checks) aligns with the skill name and description. However the skill does not declare the many runtime tools it actually expects (node/npm/npx, forge, slither, type-coverage, tail) — the packaged metadata lists only a generic 'exec' requirement. This mismatch means the agent environment may lack required binaries or the operator may be surprised by tools the skill will invoke.
!
Instruction Scope
The instructions tell the agent to cd into project folders and run project-provided commands (npm test, npm run lint, npx tsc, forge build/test, npm audit, npx type-coverage). Running those commands executes code and scripts from the target repository (package.json scripts, test/setup code, etc.), which can run arbitrary commands with the agent's privileges. The skill also reads workspace-level files (ops/test-baselines.md, package.json, README.md, CHANGELOG.md) and writes reports to ops/reports/..., so although the SKILL.md claims 'read-only', it writes output into the workspace. There are no instructions to limit or sandbox script execution.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which minimizes install-time risk. There is no URL download or package install performed by the skill bundle itself.
Credentials
The skill declares no required environment variables or credentials, which is consistent with its stated checks. However it implicitly requires various binaries and tools (node/npm/npx, forge, slither, type-coverage, tail) that are not declared as required. That omission reduces transparency about the privileges and capabilities the skill will use at runtime.
Persistence & Privilege
The skill is not always-enabled and uses normal autonomous invocation settings. It does not request persistent system configuration changes in its files. The only notable behavior is saving reports into ops/reports/, which is normal for a reporting tool but contradicts the SKILL.md's 'read-only' claim about not modifying code.
What to consider before installing
This skill appears to do the validation tasks it describes, but it will execute project-provided scripts (npm test, npm run lint, forge commands, etc.) which can run arbitrary code from the repository. Before installing or running it: 1) only run the skill on projects you trust or inside an isolated environment (container, VM, CI runner with restricted permissions); 2) ensure the agent environment has the expected tools (node/npm/npx, forge, slither, type-coverage) or the skill may fail; 3) be aware it writes reports to ops/reports/, despite claiming to be 'read-only'; 4) prefer running this on CI or sandboxed machines rather than on a developer workstation with access to secrets; 5) note the package metadata and registry metadata mismatch and the skill has no published source/homepage — consider asking the publisher for provenance before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bf9f1w388fvssexk7yzzj8s81t17x
747downloads
0stars
2versions
Updated 3h ago
v1.1.0
MIT-0
@up2itnow
latest
Download

Validator Agent

Multi-round automated validation pipeline for TypeScript/Solidity projects. Runs 8 rounds of checks before any publish or deploy: compile gate, lint, test suite, security audit, type coverage, docs, changelog, and final review.

The gold standard — catches what manual review misses. Originally built to validate the agent-wallet-sdk before every npm publish. Now available as a reusable skill for any project.

When to Use

  • Before npm publish — run the full 8-round validation
  • Before merging a PR — run as a quality gate
  • After a dependency update — verify nothing regressed
  • On any TypeScript or Solidity project in the workspace

Quick Start

Run the Validator Agent on skills/agent-nexus-2/agent-wallet-sdk

Or trigger specific rounds:

Run Validator Agent round 0 (compile gate) on projects/mastra-plugin

The 8 Rounds

Round 0 — Compile Gate (BLOCKING)

cd <project> && npx tsc --noEmit 2>&1

If this fails, ALL subsequent rounds are BLOCKED. Nothing proceeds until compile is clean. This was added after a Feb 20 incident where broken types were published to npm.

Round 1 — Lint

cd <project> && npm run lint 2>&1 | tail -20

Check for lint errors. Warnings are noted but don't block. Errors block.

Round 2 — Test Suite

cd <project> && npm test 2>&1

Capture: total tests, passing, failing, skipped. Compare against baseline in ops/test-baselines.md if it exists. Any test count drop = regression = BLOCK.

Round 3 — Security Audit

cd <project> && npm audit 2>&1 | tail -15
  • 0 vulnerabilities → ✅ PASS
  • Moderate only (transitive) → ⚠️ WARN (note but don't block)
  • HIGH or CRITICAL → 🚨 BLOCK

Round 4 — Type Coverage

cd <project> && npx type-coverage 2>&1 || echo "type-coverage not installed — skip"

If available, report percentage. Target: >95%. Below 90% = WARN.

Round 5 — Documentation Check

  • Does README.md exist and reference current version?
  • Does CHANGELOG.md have an entry for the version being published?
  • Are all exported functions documented?

Round 6 — Changelog Verification

  • Read package.json version field
  • Read CHANGELOG.md — does it have an entry matching that version?
  • If no changelog entry for current version → BLOCK publish

Round 7 — Final Review Summary

Aggregate all rounds into a single verdict:

# Validator Agent Report — [project] — [timestamp]

## Verdict: [✅ PASS / ⚠️ WARN / 🚨 BLOCK]

| Round | Check | Result |
|-------|-------|--------|
| 0 | Compile | ✅/❌ |
| 1 | Lint | ✅/⚠️/❌ |
| 2 | Tests | ✅ X/X passing / ❌ regression |
| 3 | Security | ✅/⚠️/🚨 |
| 4 | Type Coverage | ✅ X% / ⚠️ / skipped |
| 5 | Docs | ✅/⚠️ |
| 6 | Changelog | ✅/❌ |
| 7 | Summary | [verdict] |

## Blocking Issues
[list or "None"]

## Warnings
[list or "None"]

## Recommendation
[PUBLISH / FIX FIRST / DO NOT PUBLISH]

Save report to: ops/reports/validator-YYYY-MM-DD-HH-[project].md

Configuration

The skill auto-detects project type from:

  • package.json → TypeScript/Node project
  • foundry.toml → Solidity/Forge project

For Solidity projects, Round 0 uses forge build instead of tsc, Round 2 uses forge test, and Round 3 uses forge audit (if slither is available).

Authority

  • This skill is read-only — it checks and reports, never modifies code
  • It produces a recommendation, never auto-publishes
  • Max or Bill must approve the publish after reviewing the report

Comments

Loading comments...